Your message dated Fri, 22 May 2015 18:52:35 +0000
with message-id <e1yvs3f-0006t5...@franck.debian.org>
and subject line Bug#754201: fixed in zendframework 1.11.13-1.1+deb7u1
has caused the Debian Bug report #754201,
regarding Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
754201: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zendframework
Version: 1.12.5-0.1
Severity: grave
Tags: security upstream patch

Affected versions: v1.12.0 up to v1.12.6 (Squeeze and Wheezy are not affected)
Upstream security issue:
        http://framework.zend.com/security/advisory/ZF2014-04
Upstream patch:
        https://github.com/zendframework/zf1/commit/da09186c60b9168520e994af4253fba9c19c2b3d

Regards

David

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Source: zendframework
Source-Version: 1.11.13-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 754...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 May 2015 11:50:05 -0400
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.11.13-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Frank Habermann <lordla...@lordlamer.de>
Changed-By: David Prévot <taf...@debian.org>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 743175 754201
Changes: 
 zendframework (1.11.13-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Track Wheezy updates in the wheezy branch
   * Handle patches with gbp pq
   * Fix ZF2014-01: Potential XXE/XEE attacks.
     Numerous components utilizing PHP's DOMDocument, SimpleXML, and
     xml_parse functionality were vulnerable.
     http://framework.zend.com/security/advisory/ZF2014-01
     [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683] (Closes: #743175)
   * Fix ZF2014-02: Security fix for OpenID.
     Potential security issue in login mechanism of ZendOpenId and
     Zend_OpenId consumer.
     http://framework.zend.com/security/advisory/ZF2014-02
     [CVE-2014-2684] [CVE-2014-2685] (Closes: #743175)
   * Fix ZF2014-04: Potential SQL injection.
     The implementation of the ORDER BY SQL statement in Zend_Db_Select of
     Zend Framework 1 contains a potential SQL injection when the query
     string passed contains parentheses.
     http://framework.zend.com/security/advisory/ZF2014-04
     [CVE-2014-4914] (Closes: #754201)
   * Fix ZF2014-05: Potential XML eXternal Entity injection vectors
     http://framework.zend.com/security/advisory/ZF2012-05
     [CVE-2014-8088]
   * Fix ZF2014-06: SQL injection vector when manually quoting values
     http://framework.zend.com/security/advisory/ZF2014-06
     [CVE-2014-8089]
   * Fix ZF2015-04: CRLF injections in HTTP and Mail
     http://framework.zend.com/security/advisory/ZF2015-04
     [CVE-2015-3154]
Checksums-Sha1: 
 02d0223186e9c574e8437f77951beceb6abfe0d4 1586 zendframework_1.11.13-1.1+deb7u1.dsc
 b0921984bd2edc64a238c0a8db2f5be57844a751 20217474 zendframework_1.11.13.orig.tar.gz
 d698e345665c918ab97e4a38879133d84321a568 36049 zendframework_1.11.13-1.1+deb7u1.diff.gz
 be9ee1a3a4e94418e909b0f312127b745070d4cc 3734178 zendframework_1.11.13-1.1+deb7u1_all.deb
 990965b1df9f06e2bab92f127c27f5f7a5d3a185 10558 zendframework-bin_1.11.13-1.1+deb7u1_all.deb
 8b281411d52c3e3187f9d7ab2b6babc648035616 38912 zendframework-resources_1.11.13-1.1+deb7u1_all.deb
Checksums-Sha256: 
 a1e351f7898b3cc30b1fc8846cb30924c0e75884ab364f521391fbbeaf43148f 1586 zendframework_1.11.13-1.1+deb7u1.dsc
 2d7349ae9133bd4fee39c5c7ab605c70d3a6db89bca229b4105a9b53b6a12996 20217474 zendframework_1.11.13.orig.tar.gz
 f64c6619a7ccb6603d3454816ea95c4a3584dbe453a6b8dde0349ff6d8009f94 36049 zendframework_1.11.13-1.1+deb7u1.diff.gz
 5d04f52220bdd6c2f3e28505abcea4de222572a0f658f39b6f0822939ccd1770 3734178 zendframework_1.11.13-1.1+deb7u1_all.deb
 29eacc71f3d35b5bdabd64d578afd1a47f2d342ecd11331880011a960eb98530 10558 zendframework-bin_1.11.13-1.1+deb7u1_all.deb
 f7e8d6e2b980761481060d972d8ee44105fc8ec17627ad3c2b5e2b0007991c5d 38912 zendframework-resources_1.11.13-1.1+deb7u1_all.deb
Files: 
 d22165ce2e08e5d1006cf05c3ec748e2 1586 web optional zendframework_1.11.13-1.1+deb7u1.dsc
 db77b24f2ad4dbaf36f2a5b517522780 20217474 web optional zendframework_1.11.13.orig.tar.gz
 a43fc9d45858090df087f3dae3a113a8 36049 web optional zendframework_1.11.13-1.1+deb7u1.diff.gz
 35bee7246dfdae19e4d4c54fa5a8b561 3734178 web optional zendframework_1.11.13-1.1+deb7u1_all.deb
 ab5e9d4aabb8f3a215b48c3f75e1c125 10558 web optional zendframework-bin_1.11.13-1.1+deb7u1_all.deb
 adff59c83b2454d0879865f2b986c820 38912 web optional zendframework-resources_1.11.13-1.1+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVVMb/AAoJEAWMHPlE9r08VSMH/im0BMokSzAtuGQ/a+mxeEft
H3FVo96I4w8J/o3NKCAy2nfsLA9jTOiKHzfz/LQ4o0sBh3mzEqsZiovEuq9XYRH6
dfAPL8Av8TPTsPaMxUl4cAQc/rllp4OyeOILETw9xaeA+MEdyV/zNiBJKTxJIR8q
Nwt77M6AT3dyz1xQjq2/3zcMUSCRDnrlHIo0D09rNLKWHvjL3drJ1D6TFJwhRqq5
TAtGfUZ1dWfbicES7OHqDhQo2MBgsbtUtnNrCW1cHeLVUcQGbg7r8ozwpphpl7xY
cGv3QVnclzhV+r8nemPbB1dCpdK0mfc/rnL+Nsfc/ooUWRBIzX+VgOIJiW9WE4Q=
=4CgT
-----END PGP SIGNATURE-----

--- End Message ---